--- title: "Data Act Audit Evidence And Request Logs FAQ" canonical_url: "https://www.sorena.io/artifacts/eu/data-act/faq/audit-evidence-and-request-logs" source_url: "https://www.sorena.io/artifacts/eu/data-act/faq/audit-evidence-and-request-logs" author: "Sorena AI" description: "FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries." published_at: "2026-05-06" updated_at: "2026-05-06" keywords: - "EU Data Act" - "Regulation (EU) 2023/2854" - "request logs" - "audit evidence" - "cloud switching" - "B2G exceptional need" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Data Act Audit Evidence And Request Logs FAQ FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries. *FAQ* *EU* *Data Act* ## EU Data Act Audit Evidence And Request Logs FAQ What to record when Data Act requests, refusals, safeguards, switching events, and contract decisions need to be explained later. Use this FAQ to design request logs for user and third-party access, public-sector exceptional need requests, cloud switching, trade secret safeguards, and GDPR handoffs. A Data Act audit file should not be a generic compliance folder. It should let a reviewer reconstruct what was requested, who made the request, which Data Act role applied, what data or service boundary was checked, what safeguard or exception was used, and what answer was sent. ## What should a Data Act request log prove for Audit Evidence And Request Logs implementation evidence? The Data Act context is the starting point for this answer. A request log should prove the route from intake to outcome. For connected-product and related-service data, record whether the requester is the user, a party acting on the user's behalf, or a third party chosen by the user. The log should identify the product or related service, requested data and metadata, format, timing, delivery route, and any refusal, suspension, limitation, compensation, or dispute route. Keep the log narrow. The Data Act allows data holders to verify user or third-party status, but it also says they should not require more information than necessary and should not keep access information beyond what is necessary for execution, security, and maintenance of the data infrastructure. - Minimum fields: request ID, requester identity and role, product or related service, data category, metadata needed to interpret the data, request channel, decision, delivery or refusal date, responsible owner, and cited Data Act article. - For user access, record whether data were directly accessible or had to be made available by the data holder in a structured, commonly used, machine-readable format. - For third-party sharing, record the user's instruction, third-party identity check, delivery format, and any Article 8, Article 9, trade secret, security, or GDPR condition that changed the response. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 3, 4, and 5 ground user and third-party access logs, including the limit on keeping more access information than necessary. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ context for distinguishing raw and pre-processed product data from excluded inferred or derived information. ## How should teams record trade secret and security safeguards under the Data Act? The Data Act context is the starting point for this answer. Trade secret handling needs its own evidence trail. The log should identify the data marked as trade secrets, the trade secret holder, the agreed technical and organisational measures, and whether the measures were accepted, not implemented, undermined, or still insufficient in exceptional circumstances. A refusal or suspension should not be logged as a bare legal conclusion. The Data Act requires written substantiation for withholding, suspension, or case-by-case refusal based on serious economic damage, and notification to the competent authority in specified trade secret refusal scenarios. - Record the protected data, relevant metadata, trade secret holder, confidentiality measures, user or third-party commitments, and reviewer approval. - For withholding or suspension, keep the written reason, measures not agreed or not implemented, affected trade secrets, authority notification status, and user challenge route. - For security-based restrictions under Article 4, record the security requirement, expected serious adverse effect, scope of restriction, authority notification, and any narrower alternative offered. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4, 5, and 11 ground confidentiality measures, written substantiation, authority notification, and technical protection measures. - [EUR-Lex Summary - Rules on fair access to and use of data](https://eur-lex.europa.eu/EN/legal-content/summary/rules-on-fair-access-to-and-use-of-data-data-act.html?ref=sorena.io) - EUR-Lex summary confirms that Data Act access rules include trade secret and intellectual property safeguards. ## What evidence belongs in a B2G exceptional need request file under the Data Act? The Data Act context is the starting point for this answer. For public-sector exceptional need requests, keep the incoming written request and a structured review record. The file should show the requesting body, legal task, exceptional need basis, specific data and metadata requested, purpose, intended use, deadline, erasure expectation, onward-sharing plan, and whether personal data, trade secrets, or cross-border procedure steps are involved. The Data Act gives data holders short challenge windows for these requests. A holder may decline or seek modification no later than five working days after receiving a public-emergency request, and no later than 30 working days for other exceptional need requests, when the statutory grounds apply. - Log whether the request is for a public emergency or another legally defined public-interest task, and whether the Article 15 conditions are demonstrated. - Check that the request is written in clear language, specific, proportionate, tied to data the holder controls, and transmitted or published through the required public channel. - If declining or seeking modification, keep the ground relied on, response date, prior similar request details if relevant, correspondence, and competent-authority referral status. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 14 to 22 ground B2G exceptional need intake, request contents, modification grounds, safeguards, onward sharing, and erasure records. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ explains practical checks for cross-border public-sector requests, Article 17 validity, onward sharing, and repetitive requests. ## What should cloud switching logs and export evidence contain under the Data Act? The Data Act context is the starting point for this answer. For data processing services, the audit file should connect the customer's switching notice to the contract clauses, export inventory, transition timeline, assistance provided, risks communicated, security controls, retrieval period, erasure step, and switching charges. It should also show whether the service is IaaS, PaaS, SaaS, custom-built, or a limited testing version because the technical obligations can differ. The Data Act requires contracts to include switching clauses, a maximum notice period not exceeding two months, a mandatory maximum transition period of 30 calendar days, at least 30 calendar days for data retrieval, and a 14 working day notification if the 30-day transition is technically unfeasible and an alternative transition period is needed. - Record notice date, requested action, destination provider or on-premises target, exportable data, digital assets, excluded internal-provider data, assistance offered, continuity risks, and security measures during transfer. - Keep the provider's online register reference for data structures, formats, standards, and open interoperability specifications used for export. - For switching charges, record whether the charge is a reduced charge during the transition period or prohibited from 12 January 2027, and keep the calculation basis rather than publishing unsupported penalty figures. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 23 to 30 ground switching notices, contract clauses, exportable data, retrieval, erasure, charges, open interfaces, and export format evidence. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ explains the relationship between notice period, transition period, charge withdrawal, and PaaS/SaaS switching obligations. ## Which contract evidence should be kept for Data Act audit review? The Data Act context is the starting point for this answer. Keep a contract-term register for data access, use, compensation, remedies, termination, switching, and cloud exit. For B2B data access and use, the register should flag terms that were unilaterally imposed and explain whether they could be unfair under Article 13. For cloud contracts, keep the written switching clauses and the website disclosures that the contract points to. Do not treat Commission model terms or standard contractual clauses as mandatory templates. The Commission FAQ says the model contractual terms and standard contractual clauses are non-binding and adaptable, so the audit file should show whether they were considered, accepted, adapted, or not used. - For Article 13 review, record the clause, supplier or customer role, whether negotiation was possible, the business impact, and the final approval or fallback text. - For data sharing compensation, keep the calculation basis, cost categories, volume or format assumptions, SME or research organisation status if relevant, and dispute route. - For cloud switching clauses, keep the signed contract version, pre-contract copy provided to the customer, exit strategy support record, retrieval and erasure clauses, and charge disclosures. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 9, 12, 13, 25, 26, 28, 29, and 41 ground compensation, unfair terms, cloud switching clauses, website disclosures, and model terms. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ confirms the scope and non-binding status of model contractual terms and cloud standard contractual clauses. ## How should the GDPR boundary appear in request logs under the Data Act? The Data Act does not supersede GDPR analysis. If the requested dataset contains personal data, the log should show the GDPR legal basis, special-category conditions if relevant, ePrivacy check where relevant, data minimisation steps, and whether anonymisation or pseudonymisation was used before disclosure. The most important boundary is when the user is not the data subject. In that case, the Data Act does not itself create a legal basis for giving the user or a third party access to another person's personal data. The log should show whether the personal data were filtered, anonymised, pseudonymised, limited to the user's own data, or escalated to privacy counsel. - Tag each request as non-personal, personal, mixed, anonymised, pseudonymised, or escalated because a valid GDPR basis is missing. - For B2G requests involving personal data, keep the requester's Article 17 privacy safeguards, supervisory-authority notification, anonymisation or pseudonymisation decision, and erasure record. - For cloud and international-government-access records, separate non-personal Data Act safeguards from GDPR transfer records for personal data. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Recital 7 and Articles 4, 17, 18, 19, and 37 ground the GDPR boundary, personal-data safeguards, anonymisation, pseudonymisation, and DPA competence. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ confirms that data protection authorities remain responsible for Data Act monitoring where personal data protection is concerned. ## How much should the log retain, and what should not be retained under the Data Act? The log should retain enough to prove compliance, but not become an unnecessary surveillance record. For user and third-party access requests, the Data Act expressly limits verification information and access logs to what is necessary for sound execution of the request and for security and maintenance of the data infrastructure. For B2G requests, retain the request, review, transfer, onward-sharing notice, erasure notice, complaint correspondence, and compensation basis where relevant. For smart contracts used to execute data sharing agreements, retain transactional data, smart contract logic, and code where necessary to preserve auditability after termination or deactivation. - Retain decision evidence: request, classification, source article, data map, safeguard, response, delivery proof, refusal reason, authority notice, dispute or complaint record, and closure step. - Do not retain extra identity, access, or log data merely because the Data Act request occurred; tie retention to execution, security, maintenance, dispute handling, or another documented legal basis. - Use separate retention labels for product-data access, third-party sharing, B2G exceptional need, cloud switching, third-country authority requests, and contract-term review. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4, 5, 19, 21, 32, and 36 ground request-log minimisation, erasure notices, third-country request records, and smart-contract auditability. - [European Commission - Data Act Legal Helpdesk](https://digital-strategy.ec.europa.eu/en/policies/data-act-legal-helpdesk?ref=sorena.io) - Commission helpdesk page confirms practical support channels for Data Act access, sharing, cloud switching, user rights, and interoperability questions. ## What practical request-log schema should teams implement first under the Data Act? The Data Act context is the starting point for this answer. Start with one register that can route a request into separate workflows. The register should not decide the law by itself; it should preserve the facts needed for legal, support, product, security, procurement, cloud, and privacy owners to make the right decision quickly. A practical schema uses required fields, controlled values, and attachments. It should be tested against at least five cases: user access to connected-product data, user-directed third-party sharing, trade secret limitation, B2G exceptional need request, and cloud switching or export request. - Core fields: request type, requester, Data Act actor role, product or service, data category, personal-data status, trade secret status, contract reference, deadline, owner, decision, source article, response, and closure evidence. - Workflow fields: identity check completed, data map linked, safeguard selected, format selected, authority or DPA notification needed, compensation or charge basis, dispute route, and escalation owner. - Closure fields: data delivered, refusal or modification reason, third party or public body notified, retrieval or erasure completed, complaint or dispute filed, and next review trigger. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - The binding Data Act text supplies the source articles for the register fields across access, safeguards, B2G, switching, contracts, and enforcement. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ provides implementation context for common request scenarios, including product data, B2G requests, cloud switching, and enforcement. ## What Data Act source evidence should teams keep for the Audit Evidence And Request Logs FAQ decision? For audit evidence and request logs, teams should keep the exact source URL, the Data Act article or recital relied on, the question being answered, the owner who approved the interpretation, and the date the decision was made. The file should also show which workflow the decision affects so a future reviewer can reopen the same legal conclusion without starting over. Teams should not rely on a one-line citation alone. Keep the specific extract, the implementation note, and any follow-up check that shows how the decision was applied in a request log, contract register, or switching file. - Record the source URL, cited article or recital, and the exact policy or workflow that depends on it. - Attach the implementing note, owner approval, and a dated review status so the rationale can be traced later. - Link the evidence to the live artifact it supports, such as the request-log field list, refusal template, or switching checklist. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Use the regulation itself as the anchor source for the cited article, recital, and workflow decision. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The FAQ is a useful implementation source when the decision depends on practical interpretation rather than the black-letter text alone. ## How should teams assign ownership for Data Act Audit Evidence And Request Logs implementation work? For audit evidence and request logs, the Data Act workflow should name one accountable owner for each decision point. That owner should be the person who can update the log template, approve the evidence standard, or sign off the relevant legal interpretation when the workflow changes. If more than one team is involved, record consulted teams separately. Legal, privacy, product, support, security, cloud, and procurement may all contribute, but the file should still show a single named owner for the final implementation decision. - Assign a primary owner by workflow: access logs, trade secret handling, B2G requests, cloud switching, contract review, or retention. - List secondary contributors only as consulted reviewers or evidence providers, not as shared owners of the same decision. - Record the escalation path for unresolved issues, including the team that can approve a revised template or reopen the analysis. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - The regulation's enforcement and role-allocation provisions support clear ownership across data access, switching, B2G, and compliance workflows. - [European Commission - Data Act Legal Helpdesk](https://digital-strategy.ec.europa.eu/en/policies/data-act-legal-helpdesk?ref=sorena.io) - The helpdesk's practical guidance model supports assigning one responsible owner who can submit questions and apply the answer to a workflow. ## Which Data Act implementation evidence makes the Audit Evidence And Request Logs answer usable later? For Data Act audit evidence and request logs, the most useful evidence is evidence that can be reused in the next case. Keep artifacts that show how the team classified the request, what fields were required, what exception or safeguard was applied, and what source text supported the choice. The goal is not to collect every document. It is to preserve the minimum set that lets a later reviewer reproduce the same decision in a similar case without guessing which article, deadline, or authority applied. - Keep the source extract, the completed template, and one worked example for each workflow. - Retain the decision memo or approval note that ties the evidence to a concrete Data Act article or recital. - Store the version history so future updates can see when a field or template was changed and why. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - The regulation provides the legal anchors for the reusable evidence set across user access, trade secrets, B2G, contracts, and cloud switching. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The FAQ helps show which practical interpretation should be preserved alongside the legal source. ## When should the Data Act Audit Evidence And Request Logs FAQ answer be reviewed again by the team? For audit evidence and request logs, the Data Act answer should be reviewed when a workflow changes, when the source text changes, or when a new request pattern appears that the current template does not capture well. The answer should also be revisited after team ownership changes or when a new regulator or helpdesk position affects the interpretation. A review date alone is not enough. The team should also set an event trigger, such as a contract refresh, a cloud migration, a new B2G request type, or a Data Act enforcement update, so the review happens when the evidence really needs to change. - Review after any change to the request process, contract wording, retention rule, or escalation path. - Review when a new Data Act article, recital, FAQ update, or Commission helpdesk answer changes the underlying interpretation. - Review when a real case reveals a missing field, duplicate field, or unclear ownership assignment in the log template. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Use the regulation as the baseline for review triggers tied to the relevant Data Act obligations. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - The FAQ should be checked again whenever a practical implementation answer may have shifted. ## Primary sources - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Data Act request handling, trade secret safeguards, B2G exceptional need requests, contract terms, cloud switching, GDPR boundaries, and enforcement records. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ used for practical interpretation of product-data scope, B2G request checks, cloud switching timelines, non-binding contract terms, and DPA enforcement roles. - [European Commission - Data Act Legal Helpdesk](https://digital-strategy.ec.europa.eu/en/policies/data-act-legal-helpdesk?ref=sorena.io) - Commission helpdesk page used only to point readers to official practical support for Data Act access, sharing, user rights, cloud switching, and interoperability questions. - [EUR-Lex Summary - Rules on fair access to and use of data](https://eur-lex.europa.eu/EN/legal-content/summary/rules-on-fair-access-to-and-use-of-data-data-act.html?ref=sorena.io) - EUR-Lex summary used for concise confirmation of the Data Act's main topics, including third-party sharing, trade secret safeguards, unfair contracts, B2G access, and cloud switching. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission overview for Data Act chapters, connected-product access, B2G requests, cloud switching, interoperability, and implementation support. ## Topic Guides - [Data Act and Common European Data Spaces](/artifacts/eu/data-act/data-act-and-common-european-data-spaces.md): How Data Act Article 33 connects data-space participation with metadata, vocabularies, APIs, access terms, data quality, governance, and standards monitoring. - [Data Act and Data Governance Act Overlap FAQ](/artifacts/eu/data-act/faq/data-governance-act-overlap.md): FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows. - [Data Act and GDPR Personal Data Overlap FAQ](/artifacts/eu/data-act/faq/gdpr-personal-data-overlap.md): FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing. - [Data Act B2B Data-Sharing Contract Clauses](/artifacts/eu/data-act/b2b-data-sharing-contract-clauses.md): Clause guide for EU Data Act B2B data sharing: FRAND terms, compensation, trade secret safeguards, recipient limits, termination, logs, and GDPR boundaries. - [Data Act B2B Data-Sharing Contract Template](/artifacts/eu/data-act/b2b-data-sharing-contract-template.md): A usable EU Data Act B2B data-sharing template outline covering access requests, data schedules, permitted use, trade secrets, security, compensation, GDPR boundaries, audit records, and termination. - [Data Act B2G Exceptional-Need Requests](/artifacts/eu/data-act/b2g-exceptional-need-requests.md): A grounded guide to EU Data Act Chapter V requests from public bodies: exceptional need, public emergencies, request contents, limits, safeguards, costs, and records. - [Data Act Cloud Switching Compliance Checklist](/artifacts/eu/data-act/cloud-switching-compliance-checklist.md): A grounded EU Data Act checklist for cloud and data processing service providers covering switching clauses, notices, export formats, charges, interoperability, and evidence. - [Data Act Cloud Switching Contract Terms FAQ](/artifacts/eu/data-act/faq/cloud-switching-contract-terms.md): FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records. - [Data Act Cloud Switching Fees And Deadlines FAQ](/artifacts/eu/data-act/faq/cloud-switching-fees-and-deadlines.md): FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records. - [Data Act Complaints and Dispute Settlement FAQ](/artifacts/eu/data-act/faq/complaints-and-dispute-settlement.md): FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records. - [Data Act Exportable Data and Metadata FAQ](/artifacts/eu/data-act/faq/exportable-data-and-metadata.md): FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded. - [Data Act FAQ for Aftermarket Repair and Mobility Services](/artifacts/eu/data-act/faq/aftermarket-repair-and-mobility-services.md): FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services. - [Data Act Functional Equivalence FAQ](/artifacts/eu/data-act/faq/functional-equivalence.md): FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence. - [Data Act Indirect Access Request Flows FAQ](/artifacts/eu/data-act/faq/indirect-access-request-flows.md): FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited. - [Data Act International Government Access FAQ](/artifacts/eu/data-act/faq/international-government-access.md): FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers. - [Data Act Interoperability Standards FAQ](/artifacts/eu/data-act/faq/interoperability-standards.md): FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614. - [Data Act Model Contractual Terms FAQ](/artifacts/eu/data-act/faq/model-contractual-terms.md): FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence. - [Data Act Public Emergency Requests FAQ](/artifacts/eu/data-act/faq/public-emergency-requests.md): FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records. - [Data Act Smart Contracts for Data Sharing](/artifacts/eu/data-act/smart-contracts-for-data-sharing.md): Data Act Article 36 smart contract guide for data-sharing agreements: scope, robustness, access control, termination, interruption, archiving, standards status, and conformity evidence. - [Data Act SME Exceptions and Startups FAQ](/artifacts/eu/data-act/faq/sme-exceptions-and-startups.md): FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms. - [Data Act Trade Secret Technical Protection Measures FAQ](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md): FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence. - [Data Act Trade Secrets and Protection Measures](/artifacts/eu/data-act/trade-secrets-and-protection.md): Data Act guide for protecting trade secrets during access and sharing: classification, safeguards, refusal thresholds, notices, evidence records, and reviews. - [Data Act Unfair Contractual Terms | Article 13 B2B Contract Review](/artifacts/eu/data-act/unfair-contractual-terms.md): Review B2B data-sharing clauses under EU Data Act Article 13: unilateral terms, always unfair examples, presumed unfair terms, model clauses, evidence, and remediation. - [Data Act Vehicle Data Guidance](/artifacts/eu/data-act/vehicle-data-guidance.md): Commission-grounded guide to Data Act vehicle data access: connected vehicles, vehicle-related services, raw and pre-processed data, aftermarket use cases, access routes, safeguards, and GDPR boundaries. - [Data Act vs GDPR: connected-product data access](/artifacts/eu/data-act/data-act-vs-gdpr.md): Compare EU Data Act connected-product access duties with GDPR personal-data rules: scope, roles, lawful basis, data subject rights, third-party sharing, trade secrets, and conflicts. - [EU Data Act and Common European Data Spaces FAQ](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md): FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation. - [EU Data Act Applicability Test](/artifacts/eu/data-act/applicability-test.md): Check whether a product, related service, data holder, cloud service, data-space role, smart contract, or B2G request is in scope of the EU Data Act. - [EU Data Act Application Dates And Transition FAQ](/artifacts/eu/data-act/faq/application-dates-and-transition.md): FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain. - [EU Data Act Article 3 Pre-Contract Information](/artifacts/eu/data-act/pre-contractual-information-obligations.md): What Article 3 of the EU Data Act requires before connected-product purchase, rent, lease, or related-service contracting: data categories, access, data holder identity, third-party sharing, complaints, and evidence. - [EU Data Act Article 36 Smart Contract Controls FAQ](/artifacts/eu/data-act/faq/article-36-smart-contract-controls.md): FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires. - [EU Data Act B2B Data Sharing Compensation FAQ](/artifacts/eu/data-act/faq/compensation-for-b2b-data-sharing.md): FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards. - [EU Data Act B2G Compensation and Costs FAQ](/artifacts/eu/data-act/faq/b2g-compensation-and-costs.md): FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep. - [EU Data Act B2G Exceptional Need FAQ](/artifacts/eu/data-act/faq/b2g-exceptional-need.md): When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence. - [EU Data Act Checklist for Product, Cloud, and Contract Teams](/artifacts/eu/data-act/checklist.md): A grounded EU Data Act checklist for connected-product data access, third-party sharing, B2G requests, cloud switching, unfair terms, smart contracts, personal data boundaries, evidence, and owners. - [EU Data Act Cloud Switching and Exit Plans](/artifacts/eu/data-act/cloud-switching-and-exit-plans.md): A grounded EU Data Act guide for data processing service exit plans: switching contracts, exportable data, assistance, charges, interoperability, retrieval, erasure, and records. - [EU Data Act Cloud Switching Procurement FAQ](/artifacts/eu/data-act/faq/cloud-switching-procurement-checklist.md): Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence. - [EU Data Act Compliance Program](/artifacts/eu/data-act/compliance.md): Build a Data Act compliance program for connected-product data access, contracts, B2G requests, cloud switching, smart contracts, GDPR boundaries, records, and ownership. - [EU Data Act Connected Product Scope and Data Types](/artifacts/eu/data-act/scope-connected-products-and-data-types.md): Classify EU Data Act connected products, related services, product data, related-service data, readily available data, metadata, and excluded derived outputs. - [EU Data Act Connected Product Scope FAQ](/artifacts/eu/data-act/faq/scope-connected-products.md): FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope. - [EU Data Act Data Processing Service Switching](/artifacts/eu/data-act/data-processing-services-switching.md): A grounded EU Data Act guide for provider and customer switching duties: exit assistance, exportable data, contract clauses, charges, interoperability, retrieval, and erasure. - [EU Data Act data spaces interoperability FAQ](/artifacts/eu/data-act/faq/data-spaces-interoperability.md): FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence. - [EU Data Act deadlines and compliance calendar](/artifacts/eu/data-act/deadlines-and-compliance-calendar.md): A source-linked calendar for EU Data Act application dates, product design timing, contract remediation, cloud switching charges, response periods, standards work, and evidence records. - [EU Data Act Direct Access by Design FAQ](/artifacts/eu/data-act/faq/direct-access-by-design.md): FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act. - [EU Data Act Enforcement And Competent Authorities FAQ](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md): FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible. - [EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates](/artifacts/eu/data-act/faq.md): Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates. - [EU Data Act Non-Emergency Public-Sector Requests FAQ](/artifacts/eu/data-act/faq/non-emergency-public-sector-requests.md): FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence. - [EU Data Act Non-Personal Data and Mixed Datasets FAQ](/artifacts/eu/data-act/faq/non-personal-data-and-mixed-datasets.md): FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records. - [EU Data Act Penalties and Enforcement](/artifacts/eu/data-act/penalties-and-fines.md): Grounded guide to Data Act penalties under Article 40, Member State enforcement, penalty factors, complaints, judicial remedies, and the GDPR enforcement boundary. - [EU Data Act Pre-Contractual Information FAQ](/artifacts/eu/data-act/faq/pre-contractual-information.md): FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries. - [EU Data Act Product Data vs Related Service Data FAQ](/artifacts/eu/data-act/faq/product-data-and-service-data.md): FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs. - [EU Data Act Readily Available Data FAQ](/artifacts/eu/data-act/faq/readily-available-data.md): FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics. - [EU Data Act Related Services FAQ](/artifacts/eu/data-act/faq/related-services.md): FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply. - [EU Data Act requirements](/artifacts/eu/data-act/requirements.md): Source-grounded EU Data Act requirements for connected-product data access, B2B sharing terms, B2G exceptional needs, cloud switching, smart contracts, interoperability, GDPR boundaries, and records. - [EU Data Act Smart Contracts for Data Sharing FAQ](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md): Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status. - [EU Data Act Third-Party Data Sharing FAQ](/artifacts/eu/data-act/faq/third-party-data-sharing.md): FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers. - [EU Data Act Trade Secret Safeguards FAQ](/artifacts/eu/data-act/faq/trade-secrets-safeguards.md): FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records. - [EU Data Act Unfair Contractual Terms FAQ](/artifacts/eu/data-act/faq/unfair-contractual-terms.md): FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence. - [EU Data Act User Access and Portability Rights](/artifacts/eu/data-act/access-rights-and-portability.md): Practical guide to EU Data Act user access, connected-product data portability, third-party sharing, trade secret safeguards, and the GDPR boundary. - [EU Data Act Users, Data Holders, and Recipients FAQ](/artifacts/eu/data-act/faq/users-data-holders-and-recipients.md): FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries. - [EU Data Act Vehicle Data Guidance FAQ](/artifacts/eu/data-act/faq/vehicle-data-guidance.md): FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries. - [EU Data Act vs Data Governance Act](/artifacts/eu/data-act/data-act-vs-data-governance-act.md): Compare the EU Data Act with the Data Governance Act: connected-product access, cloud switching, B2B/B2G duties, protected public-sector reuse, intermediaries, altruism, governance, and enforcement. *Recommended next step* *Placement: after implementation section* ## Build Data Act Request Logs Turn Data Act access, refusal, safeguard, B2G, cloud switching, and contract decisions into request-log fields that product, support, legal, security, procurement, and privacy teams can maintain. - [Open Research Copilot](/solutions/research-copilot.md): Get cited answers on Data Act request logs, safeguards, cloud switching, and adjacent evidence obligations. - [Discuss Data Act Evidence](/contact.md): Review request-log fields and evidence records for Data Act product, contract, cloud, B2G, and privacy workflows. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/data-act/faq/audit-evidence-and-request-logs